What does “too many reports” mean exactly, and can this threshold be edited somewhere?

A host is recorded in the 'dos_suspected' table when it is reported by the firewall rulebase or IPS code. The entry is inserted for a short period of time (1 second). If too many reports are received for that host during this time, it will be placed in the penalty box table 'dos_penalty_box'.

Thanks for your reply. As I understand it, there are two different ways an IP address will be blocked with the penalty box.

The first is packets per second dropped and the second mechanism is IPS events. PPS for IPS events does not seem to make sense to me.

My question is under which circumstances an IP address will be suspected in case of an IPS event. How many IPS events are needed and are there differences in relation to the severity of an IPS event?

I know other vendors where you can choose how many IPS events (attacks) are tolerated in a period of time before the source IP address will be quarantined. For example, if an IP tries to use a vulnerability once, all other tries and connections from this IP will be blocked for x minutes.